Sophos

W32/Forbot-K

Aliases
  • Backdoor.Win32.ForBot.k
  • W32/Sdbot.worm.gen
  • WORM_SDBOT.OU

Summary

How it spreads
  • Network shares
  • Web downloads
  • Chat programs
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 25 August 2004 08:03:50 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SVX Control Service = svxhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
SVX Control Service = svxhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SVX Control Service = svxhost.exe

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\ (the code number is that user's SID; HKEY_CURRENT_USER is only an alias for the hive of the user currently logged on). For each user locate the entries:

HKEY_USERS\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
SVX Control Service = svxhost.exe
HKEY_USERS\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\
SVX Control Service = svxhost.exe

and delete them if they exist.

Close the registry editor.

Download and install the Microsoft patch mentioned below (MS04-011, which fixes the LSASS vulnerability the worm uses to spread). On standalone computers, update with all relevant security patches from Windows Update.

More Information

W32/Forbot-K is a network worm with IRC-controlled backdoor functionality.

In order to run automatically when Windows starts up, the worm copies itself to the Windows system folder as svxhost.exe and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SVX Control Service = svxhost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
SVX Control Service = svxhost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SVX Control Service = svxhost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SVX Control Service = svxhost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
SVX Control Service = svxhost.exe
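The manual registry clean-up in the Action section and the persistence entries listed above can be checked and removed with a script. The following PowerShell is an added example, not a Sophos tool: it looks for the `SVX Control Service` value in the Run, RunOnce and RunServices keys under HKLM and under every loaded user hive in HKEY_USERS, looks for the dropped `svxhost.exe` in the system folder, and only deletes when run with `-Remove` (it honours `-WhatIf`). The value name, file name and key paths come from this page; the choice to also check SysWOW64 (where a 32-bit process's writes to the system folder are redirected on 64-bit Windows) and to stop any running `svxhost` process first are the author's own assumptions about a sensible clean-up. Back up the registry as the Action section describes before running it with `-Remove`.

```powershell
# Added example: find/remove W32/Forbot-K persistence described on this page.
# Run from an elevated PowerShell. Without -Remove it only reports.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$valueName = 'SVX Control Service'   # value name from the advisory
$fileName  = 'svxhost.exe'           # dropped file name from the advisory
$subKeys   = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Machine hive plus every user hive currently loaded under HKEY_USERS
# (the advisory's "HKEY_USERS\[code number]" areas; the code number is a SID).
$hives = @('HKLM:') + @(Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

# 1. Registry autostart values
$findings = @()
foreach ($hive in $hives) {
    foreach ($sub in $subKeys) {
        $key = Join-Path $hive $sub
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $val = $props.PSObject.Properties[$valueName]
        if ($null -eq $val) { continue }
        $findings += [pscustomobject]@{ Key = $key; Data = $val.Value }
    }
}

# 2. Dropped executable. System32 is the advisory's "Windows system folder";
#    SysWOW64 is an assumption covering file-system redirection on 64-bit hosts.
$candidates = @('System32', 'SysWOW64') | ForEach-Object {
    Join-Path (Join-Path $env:SystemRoot $_) $fileName
} | Where-Object { Test-Path $_ }

if (-not $findings -and -not $candidates) {
    Write-Host 'No W32/Forbot-K persistence entries or dropped file found.'
    return
}

foreach ($f in $findings) { Write-Host "Registry: $($f.Key)\$valueName = $($f.Data)" }
foreach ($c in $candidates) {
    $hash = (Get-FileHash -Path $c -Algorithm SHA256).Hash   # record before deleting
    Write-Host "File:     $c  SHA256=$hash"
}

if (-not $Remove) {
    Write-Host 'Report only. Re-run with -Remove (optionally -WhatIf) to clean up.'
    return
}

# 3. Clean-up: stop the process before deleting its file (assumed step, not
#    stated on the page), then delete the file and the registry values.
Get-Process -Name 'svxhost' -ErrorAction SilentlyContinue |
    Where-Object { $PSCmdlet.ShouldProcess("PID $($_.Id)", 'Stop svxhost process') } |
    Stop-Process -Force

foreach ($c in $candidates) {
    if ($PSCmdlet.ShouldProcess($c, 'Delete dropped file')) {
        Remove-Item -LiteralPath $c -Force
    }
}
foreach ($f in $findings) {
    if ($PSCmdlet.ShouldProcess($f.Key, "Remove value '$valueName'")) {
        Remove-ItemProperty -Path $f.Key -Name $valueName
    }
}
```

Only hives of users who are currently logged on (or whose hive is otherwise loaded) appear under HKEY_USERS, so for a shared machine log on as each user, or load the other users' NTUSER.DAT hives with `reg load`, and run the script again; the Sophos instructions above apply per user for the same reason.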

Once installed, W32/Forbot-K connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected machine to perform any of the following actions:

  • flood a remote host (by either ping or HTTP)
  • start a SOCKS4 proxy server
  • start an FTP server
  • portscan randomly-chosen IP addresses
  • execute arbitrary commands
  • steal information such as passwords and product keys
  • upload/download files
  • manipulate the local filesystem
  • edit the system registry

The worm can spread to unpatched machines affected by the LSASS vulnerability (see MS04-011) and machines infected by any of the Troj/Optix family of backdoor Trojans.
